[Bro] content gaps (Re: Notice.log)
Vern Paxson
vern at icir.org
Wed Dec 13 00:13:50 PST 2006
> I'm wondering what
> is actually indicated by content gap
A content gap occurs when Bro's TCP stream reassembler frees up memory
allocated to previous TCP segments and some of those segments were never
delivered (i.e., were never in-sequence). It generally indicates the
presence of measurement drops (similar to ack_above_hole), though can
also occur when running on traces that have been filtered.
> I would like to
> know what Content Gap means and the rate (> 1/175) or (> 1/1400).
It's not a rate but rather a range of sequence numbers, so in the
second case, it ranges for 1400 bytes starting at sequence #1 to.
Vern
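
[Added example, not part of the original message and not Bro's code: a simplified Python model of a stream reassembler that buffers out-of-order segments and, when it frees them, reports each hole as a (starting sequence number, length) range. The class and method names, relative sequence numbers starting at 1, and the sample segments are assumptions constructed for illustration.]

```python
# Simplified model of a TCP stream reassembler (illustration only, not Bro's code).
# Sequence numbers are relative to the start of the stream and begin at 1.

class Reassembler:
    def __init__(self, first_seq=1):
        self.next_seq = first_seq     # next byte expected in sequence
        self.pending = {}             # seq -> payload buffered behind a hole
        self.delivered = bytearray()  # bytes handed on in sequence

    def add(self, seq, data):
        """Accept one segment and deliver whatever is now in sequence."""
        if seq > self.next_seq:
            # A hole precedes this segment: buffer it (keep the longest copy).
            if len(data) > len(self.pending.get(seq, b"")):
                self.pending[seq] = data
            return
        self._deliver(seq, data)
        # Buffered segments may have become contiguous; drain them in order.
        while True:
            ready = [s for s in self.pending if s <= self.next_seq]
            if not ready:
                break
            s = min(ready)
            self._deliver(s, self.pending.pop(s))

    def _deliver(self, seq, data):
        skip = self.next_seq - seq    # bytes already delivered (retransmission/overlap)
        if skip < len(data):
            self.delivered += data[skip:]
            self.next_seq += len(data) - skip

    def trim(self):
        """Free every buffered segment; return the holes as (seq, length)."""
        gaps = []
        for seq in sorted(self.pending):
            data = self.pending.pop(seq)
            if seq > self.next_seq:   # bytes next_seq..seq-1 were never seen
                gaps.append((self.next_seq, seq - self.next_seq))
            self.next_seq = max(self.next_seq, seq + len(data))
        return gaps

def dropped_first_segment():
    # Constructed capture: the monitor missed the first 1400-byte segment.
    r = Reassembler()
    r.add(1401, b"B" * 1400)
    r.add(2801, b"C" * 175)
    return r.trim(), bytes(r.delivered)
```

In the constructed capture the two later segments are buffered but never become in-sequence, so freeing them yields a single gap of 1400 bytes starting at sequence number 1.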